Consultant's Corner: Secure Thoughts for an Open World

Editor's Note: The views expressed by the author are his own, and do not necessarily reflect the views of Novell, or Cool Solutions.

"Oh beautiful for spacious skies ... now those skies are threatening." Here in the United States, we treasure our freedom. Yet, as you may have recently read, the National Security Agency (NSA, or "spooks," as some movies portray them) has been working with at least 3 major phone companies in the United States, under the guise of protecting our freedoms from terrorists, by "data mining" domestic-to-domestic phone calls. (http://www.usatoday.com/news/washington/2006-05-10-nsa_x.htm) In other words, they were tracking any number called from a cell phone or hard-line phone to any other phone inside the United States. That is a definite violation of the people's trust, not to mention the 1934 Telecommunications Act. As an American, I have to ask: "Who is protecting us from them (US Government)?"

And while I was writing this article, 26.5 million Veterans of the United States military were having their personal information stolen! (http://news.yahoo.com/s/ap/20060522/ap_on_go_ca_st_pe/veterans_disk). Apparently, an employee of Veterans Affairs "improperly brought material home." Key drives, laptops and other such devices really do make guarding your data difficult. Employees are a security risk to data as well.

I also recently read an article in American Way Magazine (American Airlines in-flight trade rag) saying that spam, spyware, phishing and online fraud are going to continue to increase. This is according to Christopher Faulkner, founder of CI Host, a web-hosting and data-center management company. He further stated, "We're starting to see cyber-extortion, where hackers mine data from a business' computer and then threaten to release it unless the business pays." Great, just one more thing network administrators must consider while securing their organization's network.

These three items led me to wonder: what happened to the days when we only said "it's not safe to go outside?" Nowadays, it's also not safe to be online, for individual or business. More and more, security is becoming the number one focus for individuals and businesses. During my grad school days I spent time studying security in the information world. Now I am not a security specialist by any means, but I have a good layman's understanding of how to secure a data center. The security principles are the same now as they were then.

As you can imagine, I took these two items, thought about them from a GroupWise point of view, and came up with this article. I hope to provide you with a few thoughts to consider in order to secure your GroupWise system from the dangerous Open world we live in. There are several layers to security. I will cover a few broad points, then work my way into some GroupWise settings that can be used to strengthen security.

Physical Access

Physical access (as opposed to Meta-Physical Access) is about "touching it." There are many levels or rings of physical access. The first level is getting near the data center - like into the parking lot. The second level is getting in the data center building, and the third level is accessing the data center room where all the fun computers and data are stored. The fourth level is having access to the machines and the data stored on them.

Let's look at an example of how physical access can be secured. Before you can get to a building where a data center exists you must pass a guardhouse - level one. Once your auto is parked, you walk to the building and use an ID card to access the building - level two. Next you head to the data center and must punch in a code or use an ID card or a biometric device like a thumb print reader - level three. At the machine, you must use a password to unlock the console - level four. Simple. The stronger your level one, the weaker your levels two through four seemingly must be to protect from intruders outside the organization. However, much data theft comes from employees or spies disguised as employees inside the organization. Therefore, levels three and four must be strengthened.

Realistically, most organizations use passwords and ID cards as the primary way to control physical access. These are the cheapest and the easiest to implement. They are also the easiest to steal or hack. Given technological advances today, most data can be stolen without setting foot in a data center. This brings me to network access.

From the outside, the first level is the firewall. Second is the DMZ (created by having two firewall layers). The third level is securing what devices can access your network. Once you allow a PDA to access your network, you now have to make sure that its wireless connection is secured. The fourth level is the good old user name and password. This could include biometrics as well. Within these considerations sit the VPNs and remote desktop connectivity.

GroupWise Security

This brings us to GroupWise security. There are many things built into GroupWise to help the administrator secure it. However, they must be implemented to work properly. Let's look at securing GroupWise, from the simple to the complex.

Passwords - Use them. I cannot count the number of organizations that I have consulted for that did not have passwords for GroupWise! Those forcing passwords would allow users to cache them, or to pass by them because the user was logged into eDirectory. As an administrator, you have the ability today in GroupWise to strengthen passwords.

In the figure above, you see the default implementation of password security for GroupWise. Notice it allows password caching, eDirectory authentication instead of the GroupWise password, and single sign-on. As a consultant, I recommend my customers uncheck all of these. Force the user to log in to GroupWise every time.

If you allow password caching, then any user can access any other user's mailbox from a machine where the password is cached. If you allow eDirectory authentication instead of a password, user B can access user A's mailbox from the eDirectory-logged-in workstation that user A did not lock after stepping away. Of course, these assume post office level security is set to LOW.

Post Office Security Level - By default this is set to LOW. This allows users to access their mailboxes without a password, and it works in conjunction with the aforementioned Client Security Options. You can set the Post Office Security Level in the properties of the post office, under the GroupWise tab in the Security window. Once you set it to HIGH, you will want to set a High Security option - either eDirectory or LDAP, or both. When you choose LDAP, you must then set the LDAP parameters - and you will want to enable LDAP for the GroupWise system in ConsoleOne | Tools | GroupWise System Operations. The figure below shows the Help screen for Post Office Level Security:

Figure 2: Post Office Security Level Help

Figure 3: Post Office Level Security

Intruder Detection - Set it! I have never seen this set at any customer site! It's such a simple security measure. By default it is not enabled. Once set, you can configure the Incorrect Login Allowed, the Incorrect Reset Timer and the Lockout Reset Time.

Figure 4: Post Office Intruder Detection
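How the three Intruder Detection settings interact, as an added sketch that is not from the original article or from Novell: it assumes failures are counted per user inside the Incorrect Reset Timer window, and that reaching Incorrect Login Allowed starts a lockout lasting Lockout Reset Time. The class name, the sample values and the login events are constructed for illustration.

```python
class IntruderDetection:
    """Assumed model of the three post office settings named above."""

    def __init__(self, incorrect_logins_allowed, incorrect_reset_secs, lockout_reset_secs):
        self.allowed = incorrect_logins_allowed   # failures that trigger a lockout
        self.window = incorrect_reset_secs        # how long a failure keeps counting
        self.lockout = lockout_reset_secs         # how long the mailbox stays locked
        self.failures = {}                        # user -> timestamps of recent failures
        self.locked_until = {}                    # user -> time the lockout ends

    def attempt(self, user, ts, password_ok):
        """Return 'ok', 'denied' or 'locked' for a login at time ts (seconds)."""
        if ts < self.locked_until.get(user, 0):
            return "locked"                       # correct password is refused too
        if password_ok:
            self.failures.pop(user, None)         # success clears the failure count
            return "ok"
        # Drop failures older than the reset window, then record this one.
        recent = [t for t in self.failures.get(user, []) if ts - t < self.window]
        recent.append(ts)
        self.failures[user] = recent
        if len(recent) >= self.allowed:
            self.locked_until[user] = ts + self.lockout
            self.failures[user] = []
            return "locked"
        return "denied"


# Constructed events: (time in seconds, user, password correct?)
SAMPLE_EVENTS = [
    (0, "usera", False),
    (60, "usera", False),
    (120, "usera", False),    # third failure inside the window: lockout starts
    (180, "usera", True),     # right password, but still locked out
    (1920, "usera", True),    # lockout has expired
    (5000, "userb", False),
    (5700, "userb", False),   # the 5000 failure has aged out of the window
    (5800, "userb", False),   # only two failures in the window, no lockout
]


def replay(events, policy):
    """Run the events through the policy and return each outcome in order."""
    return [policy.attempt(user, ts, ok) for ts, user, ok in events]


if __name__ == "__main__":
    # Sample values: 3 failures, 10-minute reset timer, 30-minute lockout.
    for event, result in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, IntruderDetection(3, 600, 1800))):
        print(event, "->", result)
```

The userb rows show the trade-off in the reset timer: slow guessing spaced wider than the window never accumulates enough failures to lock the account, so a short timer weakens the control.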

LDAP - Turn it on and reap the rewards. By default GroupWise creates LDAP servers, but they are not properly configured nor correctly implemented. Once LDAP is implemented properly, users will only need to remember one password - their eDirectory password. With LDAP implemented, during login the post office will accept their eDirectory password. LDAP in GroupWise works like a passthrough or hand-off. The post office knows that it will accept LDAP, so it looks to the LDAP server and, in this case, eDirectory servers are LDAP servers.

Not only does it make this easy on the end user, but it also can help the administrator strengthen passwords on GroupWise. Because the eDirectory password is used to access a mailbox, the eDirectory password attributes apply to the GroupWise mailbox. An administrator can now have the GroupWise (actually eDirectory) password expire, or force a change of password, or any of the other features for password management in eDirectory.

There are two additional items that can further strengthen the LDAP implementation. One is to set SSL on the LDAP servers. The second requires the purchase of a third-party product that increases the features of the eDirectory password. For example, a company named DreamLAN (www.dreamLAN.com) allows the administrator to set password policies (such as, the password must contain at least one letter, one number, and one character, etc.). Of course, this then applies to the GroupWise password.

SSL - It does exist and will work for you, so use it. Well, at least use it for WebAccess and for any POAs that you place in a DMZ or outside a firewall. GroupWise already has a 40-bit proprietary encryption key, so there's no need to implement SSL for POAs and MTAs inside the organization's firewall. That's not necessary, and it will slow down the GroupWise system. However, it's a must for the WebAccess Application (Apache/Tomcat web server), the front-facing portion of WebAccess. After all, you do not want to pass a password or text across the Internet in an unsecure fashion.

Certificates - These are for securing messages outside the GroupWise system. If your organization is in need of a solution to secure messages that flow across the Internet to other organizations (including non-GroupWise systems), then certificates are your answer. The best example of this would be a hospital that communicates patient information via e-mail to another hospital. HIPAA requires patient data be secured. Certificates work on the premise of encrypted keys and S/MIME. Frankly, in my 11+ years of working with GroupWise, I have never had a request to implement certificates. In my humble opinion, however, this will change as cyber-extortion increases.

This brings me to the end of this secure journey. As you can see, there are many levels of security outside of GroupWise to consider and many more security features inside GroupWise to implement. Now it's your turn. Take a look at your GroupWise system and see how you can increase the security to protect your organization from all the dangers out there. "The end of the innocence" has arrived. Now is the time to secure GroupWise, among other things.

As always, I can be reached at Gregg@HinchmanConsulting.com if you have any comments or article ideas, or if you just want to help a quirky consultant support his GroupWise habit.